Domain 1 - Security and Risk management Flashcards

Question

What is PII and what are some approaches to protecting privacy?

Answer 1

* Personal Identifiable information (PII): data that can be used to uniquely identify or locate single person. * Full name, National ID number, vehicle plate number, drivers license number, credit card numbers and etc * Two approaches - generic approach accross all industries, regulation by industry is verticle enactment, such as financial or healthcare. * Need for privacy: * Data aggregation and retrieval advancement * Loss of boarders: business globalisation * Convergent technlogies advancement: gathering, mining

Answer 2

* Federal privacy act: ensures agencies cannot disclose information about an individual without permission. medical, criminal, education. * FISMA: Requires every agengcy create a security program to provide protection on systems. NIST 800-37 helps ensure compliance. * VA ACT: Specifically for the department of VA because of a laptop theft incident that disclosed 26.5 million records. Was not compliant. * US Patiout ACT: eases restrictions on law enforement, foriegn intelligence in the USA.

Answer 3

* HIPPA: national standard for the storage, use, and transmission of personal medical information and healthcare. Also applies to any facility that creates, accesses, shares or destroys medical info * HITECH: addresses the privacy and security concerns of electronic transmission of health records, and the civil and criminal enforcement. * GLBA: Requires financial institutions to develop privacy notices, and enable customers to opt out of information sharing. Ensures directors are responsible for the security. * PIPEDA: main goal is oversee how th private sector collects, uses, and discloses personal information in regular business.

Answer 4

* PCI DSS is a proactive step the credit card industry took. * applies to any entity that processes, trasmits, stores or accepts credit card data. * made up of 12 requirements broken up into 6 categories: * Build and maintain a secure Network * Protect cardholder data * maintain a vulnerability management program * implement strong access control * Regularly monitor and test networks * maintain an information security policy.

Answer 5

* Overall general statement produced by senior management. * Need to be technology and solution independant * Can be: * Organisational: establishes how a security program will be set up, lays out the goals, assigns responsibility. * Issue-specific: specific issue that management feel need more attention to ensure its clear how to comply. Eg email policy * System specific: represents decisions that specific to the actual computers, networks and applications. eg. how a senstive database should be locked down or laptops locked down. * Types of policies: * Regulatory: applies to some regulation such as HIPPA, FISMA * Advisory: strongly advises employees what is acceptable * informative: not an enforceable policy.

Answer 6

* Mandatory activities, actions, or rules and gives a policy its support. * Ensures specific technologies, applications, and procedures are implemented in a uniform (Standardised) manner. * These rules are compulsory and must be enforced * For example, for issue-specific data classification policy "All confidential data must be protected". A corresponding standard "Confidential information must be protected with AES256 at rest & transit".

Answer 7

* Baselines are: * Refers to a point in time that is used as a comparison for future changes. * Used to define the minimum level of protection required. * Guidelines: * Recommended actions and operational guides to users, IT & Operation staff when a specific standard doesnt apply * Procedures: * Considered lowest level in the documentation chain because they are closest to the computers and users, and spell out how the policy, standards and guidelines will be implemented

Answer 8

* Process of identifying and assessing risk, reducing it an acceptable level, and ensuring it remains at that level. * Requires skils in identifying threats, assessing probablility and the impact, and then taking the steps to reduce overall risk. * According to NIST SP 800-39: * Organisation: risks to the business as a whole * Business Process: risks to major functions of the organisation * Information systems: risks from a systems perspective * Information systems risk management policy requires commitment from senior management. Defines the level of risks, formal processes, mapping of risk to internal controls.

Answer 9

* NIST SP 800-39 describes four interrelated components: * Frame risk: defines the context within which all other risk activities takes place * Assess risk: * Respond to risk: matching our limited resources with our prioritized set of controls * Monitor risk: monitor the effectiveness of our controls against the risks.

Answer 10

Information systems consists of information, processes and people. Information: * Data at rest: copied and given to unauthorised parties * Data in motion: modified and intercepting it on the network * Data in use: exploiting race condition, TOC/TOU Processes: Specific kind of software vulnerability, but should include business processes. People: Social enginering, Social networks, passwords - weak passwords.

Answer 11

* Attack trees: Based on the observation that there are multiple ways to accomplish a given objective * Branches created by each decision point create what is known as an attack tree * Each of the leaf nodes represents a specific condition that must be met in order for the parent node to be effective. * Successful attack, is one in which the attacker traverses from a leaf node all the way to the root. * Reduction Analysis, two focal points: * One aspect is to reduce the number of attacks, and the other is to reduce the threat posed by the attack. * Closer you are to the root when you implement a mitigation, the more leaf conditions you will defeat.

Answer 12

**Risk assessment** is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement controls. **Risk analysis** priortize their risks and shows management the amount of resources that should be applied to protecting against those risks. * Identify assests and their value * Determine the likelihood that a threat exploits vulnerability * Determine the business impact * Provide balance between impact of threat and cost of countermeasure - cost/benefit analysis

Answer 13

* NIST SP 800-30 * Prepare for the assessment * Conduct the assessment (identify threat sources, vulnerabilties, likeihood, impact, risk) * Communicate results * Maintain assessment * Faciliatated Risk Analysis Process (FRAP): inteded to analyze one system, application, or business process at a time. Scope of the assessment is small, and cannot use calculations such as ALE. * Operationally Critical Threat, Asset, and Vulnerability Evaluation (Octave) is more in-depth assessement that requires workshops, to help ensure team members understand the methodology. Much wider in scope. * ISO 31000 developed by AUS/NZ, is broader approach to understand, financal, safety, and business decisions. * ISO 27005 is a standard for how risk management should be carried out in the framework of an ISMS, deals with IT and softer issues. * Failure Modes and effect Analysis (FMEA): method of determining functions, identifying functional failures, and assesing the causes of failure and their failure effects. Not as useful in complex environments. Involves the following steps: * Block diagram of a system or control * what happens if each block fails * In a table, identify which failures are paired with their effects and evaluation of the effects. * Adjust the table until the system is not known to have unacceptable problems * Several engineers review the FMEA. * Fault tree analysis is better at complex environments, by first having an undesired effect as the root, and then each situation that has the potential to cause that effect is added to the tree. * Central Computing and Telecommunications Agency Risk Analysis and management method (CRAMM) works in three stages: defines objectives, assess risks, and identify countermeaures. But, has questionnaires, asset dependency modeling, assessment formulas and etc) in an automated tool.

Answer 14

* Use mathematical forumals for data interpretation. * Single loss expectancy: loss from a single instance * Asset Value x Exposure Factor (EF) = SLE, EF is % of loss * Annulaised loss Expectancy (ALE): Loss in a year. * SLE x Annualized Rate of Occurence (ARO) = ALE * Control selected \<= ALE * Considerations: Uncertanity is the degree to which you lack confidence in an estatimate. * Main issues are the calculations are complex, laborious without tools, more preliminary work is needed.

Answer 15

* Monetary values are NOT used, instead a matrix of likelihood vs consquences ranking from low to high or 1-5 on each axis, is used to represent the risk. * Once selected personnel agree on the findings, then this is presented to management to help make decisions. Benefited by the communication that must happen amongst the team to identify the risk. * Can use the delphi technique to ensure team members opinions are made anonymous to prevent people from being pressured to vote a certain way.

Answer 16

* RMF is a structed process that identifies, assess, reduces, and ensures it remains at the reduced level. * NIST SP 800-37: takes a systems life cycle approach. * ISO 31000: focusing on uncertainity that leads to unanticipated effects. Much broader framework covering more thant IT. * ISACA Risk IT: Bridges the gap between the generic ISO 31000 and the IT centric NIST. Very well integrated with COBIT. * NIST SP 800 37, specifies 6 steps: * Categorise information systems: define the system, subsystems and boundaries. Any legal requirements. * Select security controls: * Implement security controls * Assess Security controls * Authorise Information system:After examining the risk exposure, determine if the residual risk is acceptable. * Monitor Security controls: has any vulnerabilities been discovered?

Answer 17

* DRP is to handle an incident and its ramifications right after disaster hits. * Business Continuity Planning: include getting critical systems to another environment while repair of the original facilities is under way. Planning is getting the right people to the right places, documenting the neccessary configurations, establishing alternative communication channels, providing power and making sure all dependencies are properly understood. * Business continutity Management (BCM) is the holistic management of both DRP and BCP.

Answer 18

* NIST SP 800-34, steps * Develop the continuity planning statment: assigns authority to the neccessary roles * Conduct the Business Impact Analysis (BIA): Identifies critial systems/app and the associated vulnerabilies and risk * Identify preventitive controls: to minimize the risk * Create contingency strategies: methods to bring systems up quickly. * Develop an information system contingency plan: Write policies and procedures for how to be operational in critical state. * Ensure plan, testing, and exercises. * Ensure plan maintainence. * ISO 27031/2011: Guidelines for readiness for business continuity * ISO 22331:2012:

Answer 19

* Understanding the organisation first, using frameworks such as Zachmans framework as it allows you to understand the company's architecture and picies and components. * CBK is broken down into eight domains, which are top tier disciples, and thus each company should have at least 8 sets of policies, procedures. * Senior management must known the responsibility and has the view that extends beyond each functional manager's focus. * To get BCP support from management, business cases must be made include vulnerabilites, legal obligations, and current status of recovery. * Include a cost/benefits should include shareholder, stakeholder, regulatory, and legislative impacts.

Answer 20

* Setting up budget and staff for the program (BCP committee). * Assigning duties and responsibilties to the BCP coordinator and to the representatives. * Senior management kick-off the BCP program with formal annocement. * Awareness-raising activities to let employees known about the BCP program and to build internal support for it. * Establishment of skills training for the support of the BCP effort. * Start the data collection throughout the organisation to aid in crafting various continuity options. * Putting into effect quick wins and low hanging fruit

Answer 21

* Is a functional analysis in which a team collects data through interviews and documentary sources; documents business function, develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function's criticality level. * BCP committee must identity the threats to the company and map them to the following: * Maxiumum tollerable downtime: Nonessential 30 days to Critical minutes to hours. * Operational disruption and productivity * FInancial considerations * Regulatory responsibilties * Reputation * BIA is conducted after the data gathering phases.

Answer 22

Managements responsibility: * Committing fully to the BCP * Setting policy and goals * Make available the neccessary funds and ressources * Taking responsibility for the outcome of the development of the BCP * Appointment a team for the process BCP team's responsbility are as follows: * Identifying regulatory and legal requirements * identifying all possible vulnerabilities and threats * Estimating the possibilties of these threats.

Answer 23

* HR Practices: Hiring qualified individual, conducting background checks, using detailed job descriptions, providing neccessary training, enforcing strict access controls and terminating individuals in way that parties involved. * Seperation of duties: make sure one individual cannot complete a critical tasks by themselves. Collusion must take place for fraud to be commited * Split knowledge: no one person knows everything. Two people need to combine their knowledge to complete some task * dual control. Two people need to be available and active to perform the operation * Rotation of duties: A detective control to uncover fraduelent activities that would have been hidden because they were doing the activity for so long.

Answer 24

* A framework that allows for the security goals of an organisation to be set and expressed by senior management. * Oversight mechanisms developed, to ensure those that are responsible are constantly updated on the health and security of the organisation. * A system of integrated processes that helps ensure consistent oversight, accountability, and compliance. * Use of metrics: * assess the effectiveness of our work, identify deficiencies and prioritise the things that still need work * Measurement will need to happen on a continuous basis so the data collection methods are repeatable * Measurements compared with set values to determine performance. * Industry best practices for metrics include, 27004, NIST 800-55

Answer 25

* Protect society the common good, neccessary public trust and confidence and the infrastructure * Act honorably, Justly responsibly and legally * provide diligent and competent service to principals * advance and protect the profession.

Domain 1 - Security and Risk management Flashcards

Domain one of CISSP (50 cards)